RE: review of "Issues and Fixes"
As defined in [RFC 2865] Table 5.44, Access-Request packets MAY
contain a State attribute. We extend that definition here, to say
that Access-Request packets that contain an authentication attribute
or a Service-Type attribute with the value Call Check (10) MAY
contain a State attribute. Access-Request packets not matching the
above description MUST contain a State attribute.

The term authentication attribute is not defined. What is an
authentication attribute? Is Message-Authenticator an authentication
attribute?

RFC 2865, Section 4.1 says:

"An Access-Request MUST contain either a User-Password or a CHAP-
Password or a State. An Access-Request MUST NOT contain both a
User-Password and a CHAP-Password. If future extensions allow
other kinds of authentication information to be conveyed, the
attribute for that can be used in an Access-Request instead of
User-Password or CHAP-Password."

RFC 2869 Section 2.2 says:

"Only one of User-Password, CHAP-Password, or ARAP-Password needs to
be present in an Access-Request, or one or more EAP-Messages.
If the RADIUS server does not support ARAP it SHOULD return an
Access-Reject to the NAS."

Based on this, User-Password, CHAP-Password, EAP-Message and ARAP-Password
should fall in the list of authentication attributes. Based on RFC 4590, a
Digest-Response Attribute also qualifies. Not sure whether
Message-Authenticator falls into "other kinds of authentication
information."
--
archive: <http://psg.com/lists/radiusext/>
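
The rule discussed in the message above, written as a server-side check on a received Access-Request. This is an added example, not part of the original message or of any RADIUS implementation. The function names and the `auth_attrs` parameter are hypothetical, and Message-Authenticator is left out of the default set because the message leaves that question open.

```python
import struct

# Attribute type numbers from the RADIUS RFCs the message cites.
USER_PASSWORD, CHAP_PASSWORD, SERVICE_TYPE, STATE = 2, 3, 6, 24
ARAP_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, DIGEST_RESPONSE = 70, 79, 80, 103
CALL_CHECK = 10
# The list the message arrives at. Message-Authenticator is excluded by
# default (assumption of this example); pass a wider set to include it.
AUTH_ATTRS = frozenset({USER_PASSWORD, CHAP_PASSWORD, ARAP_PASSWORD,
                        EAP_MESSAGE, DIGEST_RESPONSE})

def parse_attributes(packet):
    """Return [(type, value)] from an Access-Request, rejecting malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("not an Access-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_access_request(packet, auth_attrs=AUTH_ATTRS):
    """Return a list of rule violations; an empty list means the packet conforms."""
    attrs = parse_attributes(packet)
    types = {t for t, _ in attrs}
    problems = []
    if USER_PASSWORD in types and CHAP_PASSWORD in types:
        problems.append("both User-Password and CHAP-Password present")
    call_check = any(t == SERVICE_TYPE and len(v) == 4 and
                     struct.unpack("!I", v)[0] == CALL_CHECK for t, v in attrs)
    if not (types & auth_attrs) and not call_check and STATE not in types:
        problems.append("no authentication attribute or Call Check: State is required")
    return problems

def build_request(attrs):
    """Build a constructed sample packet: identifier 1, zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```

A request carrying only Message-Authenticator fails the check under the default set and passes when `auth_attrs` is widened to include type 80, which makes the open question in the message concrete.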